Safety Management Toolkit - Non Complex Operators - Guidance

Safety Management Toolkit - Non Complex Operators - Guidance

 Safety Management Toolkit - Non Complex Operators - Guidance

European Helicopter Safety Team

Safety Management Toolkit

For Non-Complex Operators

Guidance

Edition 2
October 2014

ABOUT THE MANUAL

This is the Guidance Material to the EHEST Safety Management Manual (SMM).

The EHEST SMM has been created by the Specialist Team Operations & SMS of the European
Helicopter Safety Team (EHEST). The EHEST is the European component of the International
 Safety Management Toolkit - Non Complex Operators - Guidance

Helicopter Safety Team (IHST) and the helicopter branch of the European Strategic Safety
Initiative (ESSI).

The SMM for Non-Complex Operators has been developed with consideration of Annex III of
the EU regulation on Air Operations, Part ORO Subpart GEN Section II ‘Management System’
and the relevant AMCs and GM published in October 2012.

It will be particularly useful for Non-Complex operators with limited experience of running a
Safety Management System (SMS).

To give orientation on how to define the nature and complexity of your Company, the criteria
defining a Complex Operator is provided here and set out in AMC1 ORO.GEN.200(b)
Management System as follows.

Size, Nature and Complexity of the Activity:

(a) An operator should be considered as complex when it has a workforce of more than 20
full time equivalents (FTEs) involved in the activity subject to Regulation (EC) No
216/2008 and its Implementing Rules.

(b) Operators with up to 20 FTEs involved in the activity subject to Regulation (EC) No
216/2008 and its Implementing Rules may also be considered complex based on an
assessment of the following factors:

(1) in terms of complexity, the extent and scope of contracted activities subject to the
approval;

(2) in terms of risk criteria, whether any of the following are present:

(i) Operations requiring the following specific approvals: performance-based

navigation (PBN), low visibility operation (LVO), extended range operations
with two-engined aeroplanes (ETOPS), helicopter hoist operation (HHO),
helicopter emergency medical service (HEMS), night vision imaging system
(NVIS) and dangerous goods (DG);

(ii) Different types of aircraft used;

(iii) The environment (offshore, mountainous area, etc.).The Safety Management
Manual (SMM) is the key instrument for communicating the approach to
managing safety within the Company. The SMM documents all aspects of
safety management, including the safety policy, procedures and individual
safety responsibilities.

The SMM may be contained in (one of) the manual(s) of the operator. GM1 ORO.GEN.200(a)
(5) Management System – Management System Documentation – General mentions the
following:

(a) It is not required to duplicate information in other manuals. The information may be
contained in any of the operator manuals (e.g. operations manual, training manual),
which may also be combined.

(b) The operator may also choose to include some of the information required to be
documented in separate documents (e.g. procedures). In this case it should be ensured
that manuals contain adequate references to any document(s) kept separately. Any
such documents are then to be considered an integral part of the operator’s
management system documentation.
 Safety Management Toolkit - Non Complex Operators - Guidance

The SMM has been created by a team of professionals within the EHEST whose experience
covers a variety of different backgrounds including: EASA, National Aviation Authorities,
manufacturers, operators, helicopter associations, operator and pilot associations, etc.

This is a sample manual designed to assist an operator in creating their own manual. It
contains explanatory notes and instructions marked in blue and italic.

The SMM must be adapted to appropriately reflect the operator’s needs and organisation, and
should not be applied ‘just as it is’.

The non-complex manual is derived from the more comprehensive SMM for complex operators.
Please refer to the complex operators SMM manual for a step-up approach to the SMS
organisation.

The user must also understand that having a compliant SMM does not mean that they have an
SMS in place. The SMM is solely a reference document that describes and documents the SMS.
The SMS must then be created through an adequate implementation plan that requires
commitment from the management and the personnel within the company.

The plan includes an assessment of the Company’s organisation and method of managing
safety prior to implementing the SMS (gap analysis), the creation, implementation and revision
of relevant procedures and documentation, and safety training. It should also include the initial
identification of hazards and an assessment of the safety risks faced by the operator in its
various operations.

To assist with this task, the EHEST Safety Management Toolkit provides example registers of
some of the typical helicopter hazards and risks developed by the Safety Department of Airbus
Helicopters. These registers of hazards and risks are a unique feature made available by the
EHEST to the helicopter community. It must however be considered that hazards and risks will
differ depending on the operator, nature of operations and any existing barriers in place.

ACCEPTABLE MEANS OF COMPLIANCE AND GUIDANCE MATERIAL

The link to the Acceptable Means of Compliance (AMC) and Guidance Material (GM) to Part-
ORO is provided here:
http://easa.europa.eu/system/files/dfu/04%20Part-ORO%20(AMC-GM)_Amdt2-Supplementary
%20document%20to%20ED%20Decision%202013-019-R.pdf

Note: Having a separate SMS in place and identified as such in the company’s
organisation is only one way to comply with ORO.GEN.200. The other approach
consists of addressing safety in the Company Management System (integrated
approach). This second approach might be more appropriate for small and very
small operators. Whatever the approach, ORO.GEN.200 requirements have to be
complied with.
 Safety Management Toolkit - Non Complex Operators - Guidance

Table of Contents

ABOUT THE MANUAL.......................................................................................1

Chapter 1 – Definitions....................................................................................5

Chapter 2 - Acronyms......................................................................................5

Chapter 3 – Scope of the Safety Management Manual.....................................5

Chapter 4 – Safety Policy and Objectives........................................................5

Safety Policy.......................................................................................................6

Protection of the Reporters – Just Culture..........................................................7

Chapter 5 – Safety Accountability and Responsibilities...................................8

Chapter 6 – Compliance Monitoring Organisation and Programme................10

Chapter 7 – Documentation Control Procedure.............................................11

Chapter 8 – Safety Risk Management............................................................13

Chapter 9 – Contracted Activities..................................................................31

Chapter 10 – Safety Promotion.....................................................................32

Chapter 11 – Training and Communication on Safety....................................32

Appendix 1 – Risk Assessment, Description, Evaluation And Control

(RADEC) – EXAMPLE....................................................................35
 Safety Management Toolkit - Non Complex Operators - Guidance

Chapter 1 – Definitions

Add any other definitions you may find useful, for instance:

Prevention Barrier

Risk control aimed at preventing Undesirable Events and Undesirable Operational

States.

Recovery Barrier

Risk control aimed at preventing that Undesirable Operational States result in an

accident or, in other words, that an incident scenario escalate into an accident.

Mitigation Barrier

Risk control mitigating the outcome (severity) of an incident or of an accident.

Safety Performance Indicator (SPI)

A data-based safety parameter used for monitoring and assessing performance (ICAO
Doc 9859 AN/474 Safety Management Manual, Third Edition).

Safety Performance Objective (SPO) or Target (SPT)

The planned or intended objective for Safety Performance Indicator(s) over a given
period. Objectives and targets are considered synonymous in this SMM.

Undesirable Event (UE)

Event leading to a stage in the escalation of an accident scenario (Undesirable

Operational State) where the accident can be avoided only through successful recovery
measure(s) or by chance.

Undesirable Operational State (UOS)

The stage where the scenario has escalated so far that the accident can be avoided only
through successful recovery measure(s) or by chance.

Chapter 2 - Acronyms

Add any other acronym you may find useful, for instance:

SPI Safety Performance Indicator

SPO/SPT Safety Performance Objective/Target (synonymous terms)

Chapter 3 – Scope of the Safety Management Manual

Cf. ORO.GEN.200(a)(5) and related AMCs/GM

 Safety Management Toolkit - Non Complex Operators - Guidance

Chapter 4 – Safety Policy and Objectives

Cf. ORO.GEN.200(a)(2) and related AMCs/GM and AMC1 ORO.GEN.200(a)(1);(2);(3);(5)

The Company Safety Policy should include a commitment to: improve towards the highest
safety standards, comply with all applicable legal requirements, meet all applicable standards,
consider best practices and provide appropriate resources.

The safety policy should clearly state that the purpose of safety reporting and internal
investigations is to improve safety, not to apportion blame to individuals.

An example of a Safety Policy adapted from the ICAO Doc 9859 AN/474 Safety Management
Manual, Third Edition is provided below:
 Safety Management Toolkit - Non Complex Operators - Guidance

Safety Policy
Safety is one of our core business functions. We are committed to developing, implementing,
maintaining and constantly improving strategies and processes to ensure that all our aviation
activities take place under an appropriate allocation of organisational resources, aimed at
achieving the highest level of safety performance and meeting regulatory requirements, while
delivering our services.

All levels of management and all employees are accountable for the delivery of this highest
level of safety performance, starting with the Accountable Manager [Chief Executive Officer
(CEO), Executive Director (ED) or Managing Director (MD), as appropriate to the organisation].

We are committed to:

• Support the management of safety through the provision of all appropriate resources,
that will result in an organisational culture that fosters safe practices, encourages
effective safety reporting and communication, and actively manages safety with the same
attention to results as the attention to the results of the other management systems of
the organisation;

• Ensure the management of safety is a primary responsibility of all managers and

employees;

• Clearly define for all staff, managers and employees alike, their accountabilities and
responsibilities for the delivery of the organisation‘s safety performance and the
performance of our safety management system;

• Establish and operate hazard identification and risk management processes, including a
hazard reporting system, in order to eliminate or mitigate the safety risks of the
consequences of hazards resulting from our operations or activities to achieve continuous
improvement in our safety performance;

• Ensure that no action will be taken against any employee who discloses a safety concern
through the hazard reporting system, unless such disclosure indicates, beyond any
reasonable doubt, gross negligence or a deliberate or wilful disregard of regulations or
procedures;

• Comply with and, wherever possible, exceed, legislative and regulatory requirements and
standards;

• Ensure that sufficient skilled and trained human resources are available to implement
safety strategies and processes;

• Ensure that all staff are provided with adequate and appropriate aviation safety
information and training, are competent in safety matters, and are allocated only tasks
commensurate with their skills;

• Establish and measure our safety performance against realistic safety performance
indicators and safety performance targets;

• Continually improve our safety performance through continuous monitoring and

measurement, and regular review and adjustment of safety objectives and targets, and
diligent achievement of these; and

• Ensure externally supplied systems and services to support our operations are delivered
meeting our safety performance standards.
 Safety Management Toolkit - Non Complex Operators - Guidance

(Signed and dated)

Accountable Manager

The Safety Policy states that the purpose of safety reporting and internal investigations is to
improve safety, not to apportion blame to individuals. To this purpose, the last bullet of the
Safety Policy can be expanded in a separate statement, called Protection of the Reporters –
Just Culture. An example is provided below:

Protection of the Reporters – Just Culture1

The Company is committed to operate according to the highest safety standards.

To achieve this goal, it is imperative to have uninhibited reporting of all accidents, incidents,
events, hazards, risks and other information that may compromise the safe conduct of our
operations. To this end, every staff member is warmly encouraged to, and responsible for,
reporting any safety-related information.

Reporting is free of any form of reprisal. The main purpose of reporting is risk control and
accident and incident prevention, not the attribution of blame. No action will be taken against
any staff member who discloses a safety concern through the reporting system, unless such
disclosure reveals, beyond any reasonable doubt, an illegal act, gross negligence, or a
deliberate or wilful disregard of regulations or procedures.

Our method for collecting, recording and disseminating safety information guarantees the
protection to the extent permissible by law, of the identity of those who report safety
information.
(Signed and dated)

Accountable Manager

Acceptable and non-acceptable behaviour?

Just culture is a culture in which front line operators or other members of staff are not
punished for actions, omissions or decisions taken by them that are commensurate with
their experience and training, but where gross negligence, wilful violations and
destructive acts are not tolerated. A just culture facilitates reporting, as staff do not
fear being blamed for the facts they report.
 Safety Management Toolkit - Non Complex Operators - Guidance

The EHEST recommends2 that clear descriptions of behaviour considered by the company as
acceptable (for instance genuine unintentional errors) and non-acceptable (for instance wilful
disregard of procedures, falsification of documentation, sabotage) and of their consequences
(disciplinary policy) are set out such that the differentiation between these two types of
behaviour are perfectly known and understood by everyone.

It is then of primary importance to apply this distinction in a consistent manner, so that

decisions are always interpreted as ‘just’ and that no feeling of injustice could be perceived by
personnel, which could seriously hamper the continued reporting of safety information.

Chapter 5 – Safety Accountability and Responsibilities

5.1 Safety Accountability of the Accountable Manager

Cf. ORO.GEN.210(a)

The Accountable Manager has the authority for ensuring that all activities can be financed and
carried out in accordance with the applicable requirements.

The Accountable Manager is often the Company’s Chief Executive Officer (CEO) or Executive
Director (ED) or Managing Director (MD).

The Accountable Manager is responsible for establishing and maintaining an effective

management system and/or for managing safety in the Company.

5.2 Safety Manager

AMC1 ORO.GEN.200(a)(1);(2);(3);(5) and GM1 ORO.GEN.200(a)(1)

The operator should identify a person who fulfils the role of Safety Manager.

The Safety Manager is responsible for coordinating the safety management system.

This person may be the Accountable Manager or a person with an operational role in the
Company.

Depending on the size of the operator and the nature and complexity of its activities, the
Safety Manager can be assisted by additional safety personnel for the performance of all safety
management related tasks. State which members of staff have been designated to assist the
Safety Manager, if applicable.

Regardless of the organisational set-up it is important that the Safety Manager remains the
unique focal point as regards the development, administration and maintenance of the SMS.

Note: It is intended that hazard identification, risk assessment, evaluation and

control become an integral part of day-to-day business. Day-to-day supervision
of the operations and therefore safety is the responsibility of the managers and
all the personnel. The Safety Manager is responsible for the supervision and

Not in the EASA AMC.

 Safety Management Toolkit - Non Complex Operators - Guidance

facilitation of the processes to support managers in developing processes,

procedures and work instructions for the staff under their supervision to perform
their activities in a safe manner.

5.3 Manager(s) (Delete if not applicable)

Cf. ORO.GEN.210(b)

The term ‘manager(s)’, also called ‘head(s) of operational areas’, is used as per ORO.GEN.210
Personnel Requirements (b), which states that a person or group of persons shall be
nominated by the organisation, with the responsibility of ensuring that the organisation
remains in compliance with the applicable requirements (regulations, standards, Company’s
procedures, etc.). These person(s) shall be ultimately responsible to the Accountable Manager.

The manager(s) are responsible for ensuring compliance with all applicable requirements,
including those regarding the management of safety.

Note: Managers are an important driving force of effective safety management. They
make sure that safety aspects are considered and properly dealt with in all
activities they manage..

5.4 Personnel

Cf. ORO.GEN.210(c), (d) and (e)

In order for each staff member to easily understand their roles and responsibilities within the
SMS, it is recommended that roles and responsibilities be defined within the job descriptions.

5.5 Compliance Monitoring Manager

Cf. ORO.GEN.200(a)(6) and related AMCs and GM

The Compliance Monitoring Manager is responsible for ensuring that the compliance monitoring
programme is properly implemented, maintained and continually reviewed and improved.

The Compliance Monitoring Manager should have direct access to the Accountable Manager.

For a Non-Complex operator, the tasks of the Compliance Monitoring Manager may be
exercised by the Accountable Manager, provided that he/she has the necessary competences.
He or she must demonstrate relevant knowledge, background and appropriate experience
related to the company activities; including knowledge and experience in compliance
monitoring, and also have access to all parts of the operator, and as necessary, any contracted
operator.

In the case the same person acts as Compliance Monitoring Manager and as Safety Manager,
the Accountable Manager, with regards to his/her direct accountability for safety, should
ensure that sufficient resources are allocated to both functions. The company should indicate
whether the Compliance Monitoring Manager also acts as the Safety Manager.
The independence of the compliance monitoring function should be established by ensuring
that audits and inspections are carried out by personnel not responsible for the function,
procedures or products being audited.
 Safety Management Toolkit - Non Complex Operators - Guidance

Chapter 6 – Compliance Monitoring Organisation and Programme

Cf. ORO.GEN.200(a)(6) and related AMCs and GM

The implementation and use of a compliance monitoring function allows an operator to monitor
compliance with all relevant requirements, including those of the SMS. In doing so, they should
as a minimum, and where appropriate, monitor compliance with the company procedures that
were designed to ensure safe operating activity.

The compliance monitoring programme covers, as a minimum and where appropriate, the
scope of approved operations; manuals, logs, and records, training standards, management
system procedures and manuals.

The Compliance Monitoring Programme may be described in a separate document or in

another manual.

6.1 Audits and Inspections

Cf. GM3 ORO.GEN.200(a)(6)

Compliance monitoring audits and inspections may be documented on a ‘Compliance

Monitoring Checklist’, and any findings recorded in a ‘Non-Compliance Report’.

Cf. GM1 ORO.GEN.200(a)(6)(a)

Auditors (either internal or external) shall have the relevant knowledge, background and
appropriate experience related to the activities of the operator, including knowledge and
experience in compliance monitoring.

The Company Auditor(s) demonstrate diplomacy, independence, ethics, and possess good
verbal and written communication skills.

6.2 Organisational Set-Up (Delete if not applicable)

The Compliance Monitoring Manager may be assisted by dedicated personnel and/or an

external organisation. Describe the company Compliance Monitoring organisation and how
independence is assured, how audits are planned and how consideration is given to past
compliance monitoring activity and results.

6.3 Compliance Monitoring Documentation

It shall also include the training syllabus and document control.

Please provide information relating to the Compliance Monitoring Documentation or insert a

reference as to where this information is recorded and documented.
 Safety Management Toolkit - Non Complex Operators - Guidance

6.4 Compliance Monitoring Training

Cf. AMC1 ORO.GEN.200(a)(6)(e)(1)

The Company shall ensure that all personnel engaged in managing the compliance monitoring
function understand the objectives as laid down in the company management system
documentation.

Cf. AMC1 ORO.GEN.200(a)(6)(e)(2)

The company shall ensure that those personnel responsible for managing the compliance
monitoring function, i.e. the Compliance Monitoring Manager and his/her team, receive
appropriate training for this task. This training shall cover the requirements of compliance
monitoring, manuals and procedures related to the task, audit techniques, reporting and
recording.

Please provide information relating to Compliance Monitoring Training or insert a reference as

to where this information is recorded and documented.

Chapter 7 – Documentation Control Procedure

7.1 General

Cf. ORO.GEN.200(a)(5) and related AMCs and GM

The operator’s management system documentation may be included in a separate manual or

in one of the manual(s) as required by the applicable implementing rule(s), and
where appropriate cross references should be included. The company management system
documentation should at least include the following information:

• a statement signed by the Accountable Manager to confirm that the operator will
continuously work in accordance with the applicable requirements and the operator’s
documentation;

• the operator's scope of activities;

• the names and functions of the Accountable Manager and his or her management team
(ref. ORO.GEN.210 (a) and (b));

• an organisation chart showing the lines of responsibility between the persons referred to
in ORO.GEN.210;

• a general description and location of the facilities referred to in ORO.GEN.215;

• procedures specifying how the operator ensures compliance with the applicable
requirements;

• the amendment procedure for the operator’s management system documentation.

7.2 Control and Revision of the Safety Management Manual

The SMM should describe how this manual is controlled and revised over time, and how
revisions are disseminated within the organisation.
 Safety Management Toolkit - Non Complex Operators - Guidance

7.3 Record-Keeping

Cf. ORO.GEN.220(b) and related AMC1 and GM1

An effective system of record-keeping ensures that all records are accessible whenever needed
and within a reasonable time. These records should be organised in such a way that ensures
traceability and accessibility throughout the required retention period.

In order to ensure easy and fast access to information, including access by national
authorities, the company records should:

• be adequately referenced (author, title, issue date, revision number and date, list of
effective pages),

• archived/kept as records during a determined period of time,

• and disposed of in a controlled manner after this defined period of retention.

Records are to be kept in paper format, in electronic format or a combination of both. Records
stored on microfilm or optical disc format are also acceptable; however, no matter which
format is employed records must remain legible throughout the required retention period.
Define the retention methods used in the Company.

Microfilming or the optical storage of records may be carried out at any time. The records
should be as legible as the original record and remain so for the required retention period. The
retention period starts when the record has been created or last amended.

Paper systems should be on a robust material which can withstand normal handling and filing.
Computer based systems should have at least one backup system which should be updated
within 24 hours of any new entry. Computer based systems must include appropriate
safeguards against the possibility of access by unauthorised personnel to prevent tampering
with the data.

All computer hardware used for data backup must be located in a different location from that
containing the original working data, and in an environment that ensures they remain in good
condition. When hardware or software-changes take place, special care is to be taken to
ensure that all necessary data continues to be accessible throughout at least the full period
specified in the relevant implementing rule(s). In the absence of such indication, all records
should be kept for a minimum period of 5 years.
 Safety Management Toolkit - Non Complex Operators - Guidance

Chapter 8 – Safety Risk Management

Cf. ORO.GEN.200(a)(3)

Safety Risk Management combines the following processes and components:

• Hazard identification, risk assessment and mitigation processes

• Internal safety investigation

• Safety performance monitoring and measurement

• The management of change

• Continuous improvement

• The Emergency Response Plan (ERP)

For Non-Complex operators, safety risk management may be performed using hazard
checklists or similar risk management tools or processes, which are integrated into the
activities of the operator.

Note: EHEST suggests using the Risk Assessment, Description, Evaluation and
Control (RADEC) form (see the example in Appendix 1) for the assessment and
management of safety risks.

Elements that influence Risk Management:

COMMUNICATION AND CONSULTATION

Good communication within the organisation and, where relevant, with external parties (such
as customers, partners, or contractors) should help ensure access to all relevant information,
and assist in ensuring buy-in from all those that may be affected by the risk management
activities or the actions taken. Communication and consultation should take place at all
relevant stages of the process.

REGULATORY REQUIREMENTS – RISKS ADDRESSED BY REGULATIONS

Regulations are generally developed to control common safety risks that stem from specific or
general hazards through prescriptive rules, technical standards in the areas of technology,
training, or task performance. Such hazards controlled by regulations do not need to be further
addressed in the operator’s risk assessment, unless evidence exists that the regulatory
provision is not sufficient. If the regulation is not specific, has several options, or directly calls
for a risk assessment; the hazards obviously should be assessed, and the appropriate
provisions implemented.

Note on Industry Standards and Best Practices:

When a company develops Standard Operating Procedures (SOPs) based on industry

standard/best practice, it should still perform its own risk assessment to ensure that the SOPs
are appropriate and customised to its own activities.
 Safety Management Toolkit - Non Complex Operators - Guidance

ORGANISATION’S RESOURCES

Available resources are relevant with respect to both capacity and competence:
(i) for the risk assessment process itself (see next page); and
(ii) for the activity being assessed, (aircraft, equipment, personnel, finances, etc.).

The organisation’s current resources in terms of equipment and personnel are normally
considered in the risk assessment. One outcome of a risk assessment may be that the operator
does not possess the right equipment or personnel for the activity.

8.1 Scope of Safety Risk Management

The safety risk management process addresses aviation safety risks.

The risk assessment process considers technical, human and organisational, and
environmental aspects, as well as financial, legal, or economic aspects and all significant
influences that may adversely impact aviation safety risks.

Risk management can also be expanded other types of risks, such as Health and Safety risks.

The organisation should be able to identify all significant influences that may impact aviation
safety and/or Health & Safety. However, Health and Safety aspects are not addressed in the
EU regulation on Air Operations. Check with your Competent Authority for possible SMS
requirements regarding Health and Safety.

8.2 Safety Risk Management Concepts

Preparation

PLANNING

The Safety Risk Assessment will be initiated in time for the results to be available before any
decisions regarding the activity concerned have to be made.

SYSTEM DESCRIPTION

The activity to be analysed will be described in terms of systems and processes.

WORKING GROUP

The Safety Manager will determine the need for a dedicated working group comprised of
suitable subject matter experts and personnel that are to be involved in the activity.

SELECTION OF METHOD AND DATA BASIS

The following methods and databases can be used for a risk assessment:
 The methodology described in Chapter 8 of this manual.
 The Safety Manager will decide whether, and what other methods and sources will be
used to identify hazards and hazard consequences and assess risks.
 Company databases containing:
o information resulting from the investigation of internal occurrences and
accidents; and/or
o reported deviations and proposals for improvement; and/or
 Safety Management Toolkit - Non Complex Operators - Guidance

o experience collected from the monitoring of normal operations.

 Company databases may be augmented with similar data exchanged with other
operators.
 The Safety Manager will decide whether to use additional data sources.
 Whenever possible, the process of risk assessment will be built upon experience derived
from risk assessments carried out previously.

The ‘Safety Bowl’ described below is a good, practical safety risk and risk control model.

The purpose of this approach is to consider Undesirable Events (UEs) as an intermediate step
between hazards and risks, and incidents and accidents.

Hazards can, in isolation or in combination, lead to UEs.

UEs trigger a stage in the escalation of an accident scenario, called the Undesirable Operational
State (UOS), where the scenario has escalated to the point that the accident can only be
avoided through successful recovery measure(s) or by chance.

Risk Controls aimed at preventing UEs and UOSs are prevention barriers. Controls that prevent
a UOS resulting in an accident are identified as recovery barriers, while controls that mitigate
the effect of an incident or accident are called mitigation barriers.

UE On
(Undesirable Events)
identifie les are identified
EI comme les pointsas points of
de perte deofcontrôle
loss control sur la situation
on the
situation
UE =EI=
Any eventévéwhich
nemenwould result
à partir in an accident
duquel
s é Tout
if no efficient
t recovery é velopperait
action
une was si
taken
action écu é une ’ tait
r p déclenc ée é pas
PREVENTION h
UE
RECOVERY

3 types of Risk Controls:

Prevention, Recovery, and
Safety Model:
Mod é curit é : Mitigation
The accident is
L ’accident est
considered
consid é réascomme
a loss
of une
control onde
perte the MITIGATION
situation
ACCIDENT

Figure 1 – The ‘Safety Bowl’ Safety Risk Control Model

(Source Dédale and Air France)

The Safety Bowl model is an intuitive illustration of accidents seen as ‘loss of control’ on the
situation. The bowl represents the safe envelope within which operations should be kept, while
the position of the UEs represent the departure into either accident or incident scenarios.
Recovery comes after control is lost to prevent consequences from developing and can as well
restore balance (bringing the ball back into the Safety Bowl). The model also illustrates the
importance of monitoring and managing the risk controls in place and the need to introduce or
adapt risk controls when necessary.
 Safety Management Toolkit - Non Complex Operators - Guidance

8.2.1 Hazard Identification

A good point to start with is to answer the following question:

What am I the most afraid of in my activity?3 For instance:

 Controlled Flight Into Terrain (CFIT), Controlled Flight Into Wires (CFIW),
antenna/wire strikes, main or tail rotor obstacle strike, etc.?
 Non-stabilised approach?

 Loss of control, inadvertent entry into IMC?

 Ground collision?

 Mid-air collision?

 Loss of Tail Rotor Effectiveness (LTE)?

 …

Make a list of the 10 most risky activities/situations that came up, and then study them in
detail.

Hazards are elements that, in isolation or in combination, may have contributed or could
contribute to an incident or accident. They can be identified from different internal and
external source.

During the hazard identification process, do not confuse ‘Hazards’ with ‘Consequences of
hazards’. ‘Hazards’ are situations, conditions, elements, environments that naturally exist, or
which we normally work with, that are a source of danger but do not necessarily result in
incidents or accidents. They can nevertheless lead to negative outcomes called ‘Hazard
Consequences’.

Consider the following example (source Airbus Helicopters):

Examples of Hazards and Their Effects

Example of Hazard
Workplace Hazard Example of Hazard Consequence (Harm
Caused)

Tool Knife Cut

Substance Benzene Leukaemia

Material Asbestos Mesothelioma

The EHEST Safety Leaflets provide suggestions and best practises on how to address these
subjects.
 Safety Management Toolkit - Non Complex Operators - Guidance

Source of Energy Electricity Shock, electrocution

Condition Wet Floor Slip, falls

The hazard identification process may combine different approaches:

The reactive approach (reactive scheme) consists of analysing accidents and incidents that
have occurred and trying to understand why. Based on the analysis of reported accidents and
incidents, the following questions should be asked:

 What accidents or incidents did happened to us and why?

 For what reasons did these occur? What were the causal factors?
 What barriers or risk controls failed and what barriers worked? Should existing
barriers be reinforced or additional barriers be introduced?

The proactive approach (proactive scheme) consists of analysing the conduct of operations
to identify potential hazards and assess and mitigate the associated risks before they result in
an accident or incident. This approach should trigger the following questions:

 What accidents or incidents could happen to us and why?

 For what reasons could these occur?
 Do we feel sufficiently protected? Are there any actions we should take now to
prevent these from occurring?

The proactive scheme also feature a predictive component. It consists of conducting a

predictive analysis using, for example, data extrapolation (such as estimating the future risk
level based on the data collected over the past 3 or 5 years) or statistical modelling (a more
complex way). This predictive approach aims to identify and mitigate risks before they become
evident (addressing today the risks of tomorrow). This approach poses the following questions:

 What accidents or incidents could happen to us in the future and why?

 Do we feel sufficiently protected? Are there any actions we should take now to
prevent these from occurring (addressing today the risks of tomorrow)?

The predictive and proactive approaches are very effective tools for the management of safety,
they should build upon solid reactive processes.
 Safety Management Toolkit - Non Complex Operators - Guidance

8.2.2 Hazard Consequences

Hazards are different from hazard consequences. For instance, a cumulonimbus constitutes a
hazard4 for a helicopter flying in its vicinity (less than 5NM). The consequences of this hazard
can include: heavy turbulence that could induce total loss of the aircraft; lightning that could
result in technical damage and/or injury; hail that can damage the structure and the blades;
heavy rain that can result in an engine flame out; icing that increases the helicopter mass,
affects the aero-dynamical profile, alters the rotor blades profile and may block the cyclic
swash-plate; etc.

The consequences can be identified based on the information about the hazards and their
context.

It is also worth noting that the absence of past incidents/accidents does not mean
absence of risk! It is therefore important to identify the underlying hazards and their
consequences and to assess the risks, even when no incidents or accidents have happened.

8.2.3 Risks Controls

Information on risk controls can be found in various sources such as technical publications,
safety magazines, websites such as www.IHST.org, www.EHEST.org, www.skybrary.aero, etc.

8.3 Safety Risk Management Steps

8.3.1 Initial Safety Risk Level Evaluation

The initial step consists of answering the two following questions:

- What is the severity of the consequences of the hazards we are dealing with?
- And how likely or probable are these hazard consequences?

A Risk Matrix is a good tool to describe, assess and evaluate the risks. EHEST therefore
proposes to use the Risk Matrix described in this Section. However, using a Risk Matrix is not
mandatory for Non-Complex Operators.

8.3.1.1 Analysis of Likelihood or Probability

Likelihood or probability values (how likely or probable are the various hazard consequences)
are estimated through expert judgement, or on the basis of frequencies observed within the
Company or provided for the sector, type of operations, type of machine(s), etc.

And a ‘threat’ in the sense of the Threat and Error Management (TEM) model.
See for example:
http://www.skybrary.aero/index.php/Threat_and_Error_Management_(TEM).
 Safety Management Toolkit - Non Complex Operators - Guidance

Likelihood or probability may be expressed using terminology such as ‘very low, low, medium,
high and very high’.

The following table is an example of what a Company may use for determining likelihood:

RISK MEANING VALUE

LIKELIHOOD

Likely to occur many times. Has already occurred in 5

the Company (Freq. > 3 times per year –
FREQUENT
indicative*). Has occurred frequently in the
history of the aviation industry.

Likely to occur sometimes. Has already occurred in 4

the Company (Freq. < 3 times per year –
OCCASIONAL
indicative*). Has occurred infrequently in the
history of the aviation industry.

Unlikely to occur, but possible. Has already occurred 3

REMOTE in the Company at least once or. Has seldom
occurred in the history of the aviation industry.

Very unlikely to occur. Not known to have occurred in 2

IMPROBABLE the Company but has already occurred at least
once in the history of the aviation industry.

Almost inconceivable that the event will occur. It 1

EXTREMELY
has never occurred in the history of the aviation
IMPROBABLE
industry.5

* Indicative: depends on the size of the Company and volume of activity. Use figures
adapted to your Company.

Below are examples of methods6 that the Company may use for causal and likelihood analysis
(not mandatory for Non-Complex operators):
• Fault tree analysis;

• FMECA (Failure Mode, Effects and Critical Analysis);

• Influence diagrams;

• Bow-Tie diagrams;

• Brain storming.

Note however that even extremely improbable events may occur.

6

Consult for instance Skybrary or Wikipedia for a description of these methods.

 Safety Management Toolkit - Non Complex Operators - Guidance

As the risk assessment progresses, an iterative process may help to identify new factors and
barriers. These can then be included in the analysis.

Considering human and organisational factors and their possible contributing effect in incident
and accident scenarios may help assessing the likelihood of hazard consequences. Direct
causes (‘unsafe acts’), workplace factors and organisational factors (‘latent conditions’) may be
considered.

The effects of existing risk controls that influence the chain of events are also considered and
documented, taking into account the following elements:
• Certification requirements;

• Maintenance procedures;

• Existing normal and abnormal procedures;

• Technical measures/equipment;

• Training;

• Other human and organisational factors.

Causal analysis, supported for instance by Bow-tie type diagrams, can be performed to the
level of detail necessary to establish relevant likelihood or probability values.

8.3.1.2 Analysis of Severity

Severity values (how severe are the various hazard consequences) are estimated through
expert judgement, or on the basis of severities observed within the Company or provided for
the sector, type of operations, type of machine(s), etc.

Severity can be expressed using terminology like ‘very small, small, medium, large and very
large’. The meaning of each term is then expressed in words and/or numbers or ranges.

Below is an example table that the Company may use for determining severity:

MEANING VALUE
SEVERITY OF
OCCURRENCE MATERIAL VALUES &
PERSONNEL ENVIRONMENT REPUTATION
ASSETS

Massive effects
Multiple (pollution, Catastrophic financial loss International
CATASTROPHIC E
fatalities destruction, Damage > 1 M€ (*) impact
etc.)

Severe financial loss with

Effects difficult National
HAZARDOUS Fatality long term effects D
to repair impact
Damage < 1 M€ (*)

MAJOR Serious Noteworthy Substantial financial loss Considerable C

 Safety Management Toolkit - Non Complex Operators - Guidance

injuries local effects Damage < 250K€ (*) impact

Financial loss with little

Light Limited
MINOR Little impact impact B
injuries impact
Damage < 50K€

Superficial Financial loss with

Negligible or no Light or no
NEGLIGIBLE or no negligible impact A
effects impact
injuries Damage < 10K€ (*)

* Indicative: depends on the size of the Company and volume of business. Use figures
adapted to your Company.

8.3.1.3 Risk Description and Evaluation

Risk description consists of combining Risk Likelihood or Probability and the Risk Severity, and
risk evaluation consists of determining risk acceptability or tolerability (whether the risks are
acceptable or not).

This risk description and evaluation can be performed using a colour-coded Risk Tolerability
Matrix.

An example is provided below:

RISK SEVERITY
RISK
LIKELIHOOD
NEGLIGIBLE (A) MINOR (B) MAJOR (C) HAZARDOUS (D) CATASTROPHIC (E)

FREQUENT (5) 5A 5B 5C 5D 5E

OCCASIONAL (4) 4A 4B 4C 4D 4E

REMOTE (3) 3A 3B 3C 3D 3E

IMPROBABLE (2) 2A 2B 2C 2D 2E

EXTREMELY
1A 1B 1C 1D 1E
IMPROBABLE (1)

Note: Completing the matrix without genuine safety reasoning based on facts and
relations between facts, is of limited use. A team analysis among specialists of
different domains (Working Groups) relevant to the operation(s) being
 Safety Management Toolkit - Non Complex Operators - Guidance

examined helps in assessing the risk in a realistic manner. The evaluation of

risk should be based on a systematic analysis of the operation concerned.

Unacceptable Risk Level - the red zone in the matrix: risk is too high to continue operating.

Action required: Prohibit/suspend the operation. Operation may be resumed only when risk
level is returned to tolerable or acceptable.

Tolerable Risk Level - the yellow zone in the matrix: the risk level can be tolerated for the
operation, providing that appropriate mitigation measures are in place.

Action required: Introduce appropriate mitigation measures.

• For the risk evaluation validation: The assumptions made for the determination of the
risk level and its tolerability are to be validated by the Safety Manager.

• For the authorisation of operations: Management who have the authority to authorise
operations at this level of risk: the Accountable Manager.

Acceptable Risk Level - the green zone in the matrix: risk is tolerable and can be accepted
for the operation.

Action required: Monitor. Risk is considered sufficiently controlled and no additional risk
mitigation measures are required. However, actions may still be taken to further reduce the
risk level if feasible and reasonable. Additionally, any assumptions used to make an
assessment must be monitored to ensure they remain valid.

The red, yellow and red zones are also used in the RADEC form with the same
meaning.

8.3.2 Identification of Additional Controls

Identification of Risk Controls

The risk evaluation forms the basis for deciding on risk controls, also called mitigation
measures, and in assessing the effectiveness of the risk controls already in place.

Risk Control Priorities

(Additional) risk control measures are selected based on the following priorities:
1. Eliminate the consequences of the hazard;
2. Reduce the likelihood or probability of occurrence;
3. Reduce the severity.
 Safety Management Toolkit - Non Complex Operators - Guidance

Risk Control Types

Examples of risk controls include:

• Passive technical controls (e.g. system redundancy, firewall);

• Active technical controls (e.g. automatic fire extinguishing system).

Risk controls can address technical, human, organisational and environmental factors.

All personnel may contribute to the definition of risk control measures in particular where they
concern personal equipment (goggles, helmets and other flight equipment), by their
acceptance and use.

8.3.3 Final Safety Risk Level Evaluation

Risk Control Effect Assessment

The risk mitigating effect of the new controls envisaged are assessed with respect to:
• Functionality: Does the measure influence the ability to perform the activity?

• Robustness: Will the measure be effective under varying conditions and over time?

• Possible other effects such as the introduction of new hazards, of new hazard
consequences and related risks.

Risk Transfer or Substitution Risks

When identifying risk control measures, any new hazard, or hazard consequence that may
arise from the implementation of such measures should be identified.

Risk is re-assessed considering the effects of the proposed risk control effects, as illustrated in
the table below:

Hazard
Consequence Initial Risk Level Risk Control Resulting Risk Level
Assessed

Hazard Cons. 1

Hazard Cons. 2

Hazard Cons. n
 Safety Management Toolkit - Non Complex Operators - Guidance

The measures are not necessarily sufficient to bring the risk level back to an acceptable or
tolerable level in a first round: if the risk acceptance criteria require further risk reduction, the
comparison (iterative process) describes the optimisation process: existing risk controls are
improved or new risk controls are considered until the risk is considered acceptable.

The risk analysis should focus on flight safety. In addition, EHEST encourages to address the
safety of personnel and of third parties 7. The analysis can also be expanded to address
material, the environment, and the company’s reputation 8.

Cost Benefit Analysis

The t alternative risk controls should be subjected to a Cost Benefit Analysis 9, which helps
determine the most appropriate measures. The mitigation considered appropriate should
achieve the safety benefits desired and should be economically acceptable.

An example of a Cost Benefit Matrix is provided below:

BENEFITS

High Average Low

Low 1 2 3
COSTS
Average 2 3 4

High 3 4 5

Figure 2 – A Simple Cost Benefit Analysis Matrix

Source: D. Huntzinger, formerly with Airbus Helicopters

Acceptance criteria with regards to the costs of implementing risk controls and the expected
benefits should be endorsed by the Accountable Manager.

Mention in a separate document the acceptance criteria used within your company.

EHEST suggests using a single Risk Assessment, Description, Evaluation and Control
(RADEC) form for any application requiring to assess and manage risks, such as SOP
preparation, management of change, etc.

Not in the EU regulation on Air Operations. Check with your National Authorities for possible
SMS requirements regarding Health and Safety.
8

Annex III to the EU regulation on Air Operations, Part ORO.GEN(a) (1);(2);(3);(5)

Management System only addresses aviation safety.
9

Not mentioned in the EASA AMC.

 Safety Management Toolkit - Non Complex Operators - Guidance

The RADEC form can also support the analysis of safety reports.

An occurrence can be understood as the realisation of one or several hazards or hazards

consequences:
 The list of hazards (situations) related to the occurrence are reported in the Hazard
section of the RADEC form;
 The list of actual negative events or possible negative events related to the occurrence
are analysed and reported in the Hazard Consequences section.
 Suggested additional controls are reported in the Additional Controls section and
implementation status are also reported.

RADEC forms and associated documentation are kept as records.

An example of application of the RADEC form to is provided in the Appendix 1.

8.3.4 Implementation of Risk Controls

Implementation of the risk control (mitigation) measures may, depending on the nature of
these measures, give rise to an implementation plan identifying who is in charge, the
resources needed, the deadline, and the stages of implementation.

The implementation plan is periodically reviewed until it is completed or revised.

8.3.5 Evaluation of Risk Control Efficacy

The final steps consists of checking the efficacy of the safety risk control measures
implemented. This aspect is addressed in the section Safety Performance Monitoring and
Measurement on the SMM.

8.4 Occurrence Reporting and Internal Safety Investigations

Cf. AMC1 ORO.GEN.160 and related AMC

Mention the procedure, legal deadline, and forms by which the company reports the reportable
occurrences, serious incidents and accidents to your National Aviation Authority and Accident
Investigation Board,in compliance with applicable regulations.

The scope of the occurrence reporting scheme can also be expanded to include occurrences not
reportable to the authorities.

8.4.1 Occurrence Reporting Scheme

Cf. GM1 ORO.GEN.200(a)(3)

The overall purpose of the occurrence reporting scheme is to make best use of reported
information to improve the level of safety performance but not to attribute blame.

The objectives of the occurrence reporting scheme are to:

 Safety Management Toolkit - Non Complex Operators - Guidance

• Enable an assessment to be made of the safety implications of each relevant incident and
accident, including previous occurrences of a similar nature, so that any necessary action
can be initiated, and

• Ensure that knowledge of relevant incidents and accidents is disseminated, so that other
persons and other operators may learn from them.

The scheme is an essential part of the overall monitoring function and it is complementary to
the normal day-to-day procedures and ‘control’ systems and is not intended to duplicate or
supersede any of them. The scheme is a tool to identify and analyse those instances where
procedures appear to have failed or where there was a failure to apply the procedures.

All occurrence reports judged reportable by the person submitting the report will be retained
as the significance of such reports may only become obvious at a later date.

Every occurrence identified through occurrence reports, voluntary reports or other sources
provides the opportunity to draw safety lessons. Learning from experience is only possible if
events are reported and analysed and their causes and factors (technical, operational, or
environmental) are determined and analysed.

On a daily basis, occurrences (down to simple malfunctions) may affect any process. Some of
these occurrences are defined as accident precursors. Accident precursors are occurrences
which, without appropriate mitigation, can result in Undesirable Events or accidents.

The Safety Manager is to record, analyse and monitor these occurrences.

The RADEC form supports the analysis of safety reports: occurrences are reported in the
RADEC forms for analysis, risk management and recording purposes.

In addition, several occurrence reporting forms and tools are provided in the EHEST SMM
for Complex Operators. You may also consider using the file "Database Incidents.xls” provided
there.

Occurrences may also be reported verbally, by email or on a simple sheet of paper to the
Safety Manager.

Reports will be treated as confidential and/or anonymous at the reporter’s request.

Reporting occurrences is essential for improving safety and is strongly encouraged. In return,
the Company guarantees that the reporter(s) will not be punished for reporting safety
concerns except in the case of illegal act, gross negligence, or a deliberate disregard for
regulations and applicable procedures. See the Section Safety Policy and Objectives of the
SMM.

8.4.2 Internal Safety Investigations (Not binding for non-complex operators)

Investigation procedure:

Stage Remarks
 Safety Management Toolkit - Non Complex Operators - Guidance

Decision to launch an • Put together an investigating team.

investigation

Activity planning • Define and breakdown the activities.

• Define the investigation needs.

Data collection • Collect evidence about the event. The following relevant
sources can be used:
o Physical examination;
o Documentation and files;
o Interviews with the persons involved;
o Observation of actions;
o Simulations;
o Expert consultancy;
o Safety database.

Scenario identification • Identify/reconstruct the scenario.

Scenario analysis • Analyse the facts, determine the causes and identify the
associated hazards.
• Integrate all investigation elements.

Risk assessment • Determine risk level and assess risk acceptability.

Risk control/mitigation • Identify and assess risk controls/mitigations.

analysis

Correction/prevention • Determine corrective/preventive action.

Safety communication • Communicate the investigation results to all those

concerned.

Completion of the • Close and archive the file.

investigation

8.5 Safety Performance Monitoring and Measurement (Not binding for non-
complex operators)

See the example form in in Appendix 2.

If you use SPIs and SPOs, please list them in a document separate from the SMM. It is also
useful to be display their evolution over time.

The process for determining quantitative Safety Performance Objectives for a given period
consists of:
1. Measuring the baseline against which safety improvements are to be assessed,
 Safety Management Toolkit - Non Complex Operators - Guidance

2. Fixing reasonable, yet ambitious targets, and

3. Monitoring target achievement over time and reviewing targets as necessary.

The Safety Manager shall ensure that both the SPOs and the SPIs are pertinent and
documented.

In the annual safety review with the Accountable Manager, the objectives of the year will be
reviewed and new objectives will be defined for the year to come.

STEPWISE APPROACH TO SAFETY PERFORMANCE MEASUREMENT (Optional)

At different levels of maturity of the SMS, the amount of safety data available and the issues
and actions that are most important for improving safety performance will differ. The company
can therefore adopt a step-wise approach to safety performance measurement 10, based on
three levels of SMS maturity:

LEVEL 1 OF SMS IMPLEMENTATION: PRESENT AND SUITABLE

At the first level, the SMS will have achieved compliance with the applicable requirements.
SPIs should focus on the activities required to maintain basic compliance with the SMS
regulatory framework. These can be of a quantitative (numerical) or qualitative (non-
numerical) nature.

Quantitative indicators (examples):

• the number of safety reviews performed;

• the number of staff who received training on SMS;

• the number of internal audits performed versus number of audits planned;

• etc.

Qualitative indicators (examples):

• feedback received from staff on the safety policy;

• feedback received on the safety actions, safety meetings, safety campaigns that the
Company may have organised;

• feedback received from staff on new procedures implemented in the area of internal
occurrence reporting or hazard identification;

• etc.

Once the SMS is in place and compliance with requirements has been achieved, new level 2
indicators can be introduced to address safety performance (are we getting safer?).

10

Not in the EASA AMC.

 Safety Management Toolkit - Non Complex Operators - Guidance

LEVEL 2 OF SMS IMPLEMENTATION: OPERATING AND EFFECTIVE

At this level, the company will start to define more specific SPIs on the basis of safety data
collected through the hazard identification and internal occurrence reporting processes (see
the relevant sections of this guidance document).

More specific, objective and reliable ‘leading’ or ‘forward looking’ performance indicators are
introduced such as:
• the number of risk assessments performed following organisational changes;

• the percentage of SOPs that have been subject to hazard identification;

• average lead time for completing corrective actions following internal audit;

• number of additional procedural controls implemented;

• etc.

At this level of SMS maturity, the Company will be getting a better picture of the risks affecting
the operations and the solidity of the risk controls in place.

LEVEL 3 OF SMS IMPLEMENTATION: BEST PRACTICE

Level 3 is the level where the company will have achieved continuous learning and
improvement for all parts of the SMS.

At this maturity level, effective hazard identification and risk assessment processes are
established that will allow it to derive or to use a more sophisticated mix of SPIs.

SPIs focus on the risks specific to the company revealed by operating the SMS and from
additional safety information identified within the industry sector or by the authorities 11.

SPIs should address risk levels and the solidity of the risk controls.

Risk mitigation actions focus on those issues that present the greatest risks or offer the
greatest potential for improvement.

Quantitative indicators (examples):

• Number of high risk occurrences (coded amber and red),

• Mean value of risk ratings (over a reference period, e.g. 1 year),

• Solidity of risk controls(rated from 0 to 5 over a reference period, e.g. 1 year).

The effectiveness of any new risk control introduced should also be assessed.

8.6 Emergency Response Planning

Cf. AMC1 ORO.GEN,200(a)(1);(2);(3);(5) point (f)

11

Data collected within the company may not be sufficient or representative enough to perform
realistic risk assessment. Relevant industry safety data can therefore also be taken into
account to assess the risks.
 Safety Management Toolkit - Non Complex Operators - Guidance

An example of an Emergency Response Plan developed by the EHEST is provided in a separate

document

8.7 The Management of Change

AMC1 ORO.GEN.200(a)(1);(2);(3);(5)

Change Impact Assessment Procedure

1. Identify the nature and scope of the change(s).

2. Identify key personnel who will assist in implementing the change and the mitigation
measures required, and involve them in the change management process.

3. Perform an initial Impact Assessment covering:

o The Company’s operational procedures (Operations Manual, Standardisation Manual,

Maintenance Training Organisation Exposition (MTOE), etc.),

o Work organisation (staffing, composition of the teams, scheduling, additional

training, etc.),

o Infrastructure (relocation, parking base, etc.),

o Maintenance of equipment or of the aircraft.

4. Perform a Safety Risk Analysis (See the Risk Management section):

o Identify hazards related to implementing the proposed change and their possible
consequences,

o Identify existing risk controls and define, as appropriate, additional mitigation

measures.

5. Define an implementation plan.

6. Assess related financial costs.

7. Communicate the proposed change to the staff and involve them in the project in an
effort to garner their support.

8. Implement the actions as defined in the plan.

9. Check the overall effects through the established Safety Performance Monitoring and
Measurement process.

8.8 Continuous Improvement (not binding for non-complex operators)

The Company will continuously improve its SMS12 and safety performance.

12
 Safety Management Toolkit - Non Complex Operators - Guidance

The Safety Manager performs a review of the SMS (how effectively goals and objectives were
met) and he/she provides a report13 on the SMS (how effectively the SMS works, the stage of
implementation, results of audits and review of actions, any issues/challenges and proposals
for improvement) annually to the Accountable Manager.

Improvement of the SMS14

Continuous improvement of the SMS is achieved through:

• Assessment of how the SMS is functioning;

• Identification and analysis of possible issues/challenges associated with the running of

the SMS;

• Implementing changes aimed at improving the SMS;

• Monitoring and reviewing the effects of any changes.

Continuous improvement can also be achieved when the SMS is already functioning well.

Measures that can improve the SMS include:

• Simplified procedures;

• Improved safety reviews, studies and audits;

• Improved reporting and analysis tools;

• Improved hazard identification and risk assessment processes, and improved awareness
of risks in the Company;

• Improved relations with the subcontractors, suppliers and customers regarding safety;

• Improved communication processes, including feedback from the personnel.

Continuous improvement of the SMS may target any component of the SMS, in other words
any subject addressed in this SMM with the objective of increasing the effectiveness of the
system over time.

Chapter 9 – Contracted Activities

Cf. ORO.GEN.205 and related AMC1 and GM1

The AMC only mentions continuous improvement of the safety performance

(the output of the SMS), not improvement of the SMS.
13

Not in the EASA AMC.

14

Not in the Implementing Rules and the EASA AMC.

 Safety Management Toolkit - Non Complex Operators - Guidance

Insert a separate document or table with your contracted activities and the contracted
organisations.
Chapter 10 – Safety Promotion

Safety Promotion is a process aimed at promoting a culture of safety. All personnel are made
aware of the safety risks, and understand how they are key safety actors and that they all
contribute to an effective SMS.

Managers are important actors in the Company’s SMS. In all the activities they manage, they
demonstrate commitment to safety and take care of safety aspects. They lead by example and
have an essential role to play for safety promotion.

Training and effective communication on safety are two important processes supporting safety
promotion.

Chapter 11 – Training and Communication on Safety

Cf. ORO.GEN.200(a)(4) and related AMCs/GM

11.1 Training

There is a link between training and safety risk management, as training and competence
development is one of the means by which safety risks can be reduced. Other types of risk
controls concern equipment or organisational factors (e.g. procedures), which in turn can also
be addressed in training.

The safety training programme may consist of a mix of self-study using various sources of
training material, class-room training, e-learning or other training types.
Note: As the SMS matures, and unless otherwise prescribed by implementing rules,
training contents and frequency should be linked to the safety risk management
and safety performance monitoring and measurement (dynamic process). The
highest risks and those risks where control particularly depends on personnel
competence should attract more training resources (longer duration, higher
frequency, etc.).

The following table is an example of SMS training that can be conducted for new staff
members (induction training) and provided as recurrent training:

Contents Training Objectives Method/Provider Duration/Validity

Safety Policy Understand the main

elements of the Safety
Policy.
 Safety Management Toolkit - Non Complex Operators - Guidance

Contents Training Objectives Method/Provider Duration/Validity

Organisation, roles Understand the

and responsibilities organisation, roles and
responsibilities
concerning the SMS.
Everyone to know his or
her own role in the SMS.

Safety Objectives Understand the

Company’s safety
objectives.

Emergency Understand the various

Response Planning roles and responsibilities
(ERP) in the Company’s ERP.
(reinforced through Everyone to know his or
practical her own role in the ERP.
simulations)

Occurrence and Know the means and

hazard reporting procedures for reporting
hazards and
occurrences.

Safety Risk Understand the Safety

Management (SRM) Risk Management
process including process. Everyone to
roles and know his or her own role
responsibilities in the SRM.

Continuous Understand the

improvement of principles of continuous
safety performance improvement of safety
performance.

Compliance Understand the basic

Monitoring principles of Compliance
Monitoring.

Responsibility when Understand the

contracting Company’s
activities responsibilities when
contracting activities.
Everyone should know
his or her own roles and
responsibilities regarding
this subject.
 Safety Management Toolkit - Non Complex Operators - Guidance

11.2 Communication

Cf. ORO.GEN.200(a)(4) and related AMCs/GM

Examples of information and communication means are provided below:

• Safety meetings,

• Safety briefings,

• E-mail, postal mail, suggestion boxes,

• Safety information from the OEMs, the authorities, Helicopter Associations and from
national and international Safety Initiatives,

• Safety campaigns, safety posters,

• Newsletters, Company journal,

• Flight safety digests, digest of accidents and incidents (appropriately de-identified), from
within and outside the Company,

• Digest of safety studies, audit reports, survey reports, and safety reviews,

• Company forum(s) or professional networks (e.g. LinkedIn, Facebook, Twitter, etc.),

• Subscription to publications and journals.

 Safety Management Toolkit - Non Complex Operators - Guidance

Appendix 1 – Risk Assessment, Description, Evaluation And Control (RADEC) –

EXAMPLE

RISK ASSESSMENT, DESCRIPTION, EVALUATION AND CONTROL (RADEC) FORM

RA No.: H001 Definition: Confined area landing

Ref.: Sling load Standard Operating Procedures

Operation Description: Sling load operations in mountainous areas

Hazards - What were or could be the sources of potential damage, harm or adverse
health effects in the studied environment?

H 1. Trees and vegetation

H 2. Wires, power lines
H 3. Meteorological conditions
H 4. Wind, turbulence, downdrafts
H 5. Confined landing sites

Possible Hazard Consequences - What were or could be the hazard consequences?

HC 1. Main rotor strikes ground obstacles

HC 2. Tail rotor strikes ground obstacles
HC 3. In flight contact with wires, power lines
HC 4. Ground personnel injuries due to lifted loads or helicopter downdraft
HC 5. Inadvertent or accidental cargo release
HC 6. Damage on ground
HC 7. Power loss in flight
HC 8. Power settling
HC 9. Uncontrolled cargo swing

Controls in place - What risk controls are already in place to address these?

C 1. Minimum size of the landing area (25 m x 25 m)

C 2. Pilot experience: minimum 500 flight hours in aerial work.
C 3. Area must be inspected by Company personnel before landing
C 4. High and low recognition before the first landing
C 5. Sling load operating procedures
C 6. Wire, power lines area mapped before sling load operations

INITIAL Safety Risk - Refer to the Safety Risk Matrix (if you use one)

ACCEPTABLE TOLERABLE UNACCEPTABLE

 Safety Management Toolkit - Non Complex Operators - Guidance

Additional Controls - What more should be done to further reduce Implemented?

the initial safety risks to an acceptable level?

C 7. Personnel on ground to be in radio contact with the pilot YES

C 8. Personnel on ground to wear helmets and personal safety YES
equipment
C 9. Minimum cable length = length of higher obstacle + 15 feet YES
C 10. Maximum take-off weight with cargo reduced by 5% NO
(on-going)

FINAL Safety Risk (see Safety Risk Matrix)

ACCEPTABLE TOLERABLE UNACCEPTABLE

Is the residual risk acceptable: YES NO (if NO go back to previous section)

RISK ASSESSMENT CLOSED

 Safety Management Manual - Non Complex Operators - Guidance

Appendix 2 - Safety Performance Indicators and Objectives (Not binding for non-Complex Operators)

Year 20XX Performance

1 2 3 4 5 6 7 8 9 10 11 12
Item Objectives
Qtr1 Qtr2 Qtr3 Qtr4
1st Half 2nd Half

Edition 2 – 4 Oct 2014 Page 39 of 38